You are here: start » 2010 » 05 » 13 » alix_-_networking

alix - networking
- /etc/network/interfaces
- wifi
  - hostapd
- connectivity
  - dsl
  - IPv6
    - radvd
  - dyndns
  - firewalling
    - IPv4
    - IPv6

alix - networking

/etc/network/interfaces

/etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.53.1
netmask 255.255.255.0

# internet
auto eth1
iface eth1 inet ppp 
pre-up /sbin/ifconfig eth1 up
provider qsc

# hook to my current network
auto eth2
iface eth2 inet static
address 192.168.53.240
netmask 255.255.255.0

# wlan
auto wlan0
iface wlan0 inet static
address 192.168.52.1
netmask 255.255.255.0

connectivity

dsl

Create your pppoe settings using pppoeconfig.

If you want IPv6, sign up for an tunnelbroker.net account and claim a /48 additional to the /64 they offer by default. We want to separate wifi & ethernet, therefore it is required to have a separate netmask for each network. As IPv6 stateless autoconfiguration requires a /64 for each interface, we need at least a /63, but the next we can get is a /48. So we have to claim 2^80 (1208925819614629174706176) IPv6 addresses, only to be able to have IPv6 on wifi. Thats sick, yes, but there are no alternatives, as dhcpv6 is not packaged, distributed or anything at this moment, for server and clients, it does not work by default, stateless autoconfiguration does.

Place your credentials:

/etc/default/tunnelbroker

## tunnelbroker.net credentials
HE_USERID=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
HE_GLOBAL_TUNNEL_ID=4711
HE_PASS=PASS
HE_IP6_PREFIX=2001:470:xxxx:xxxx::2
HE_IP6_MASK=64
HE_IP6_NET="$HE_IP6_PREFIX/$HE_IP6_MASK"
HE_ROUTED="2001:470:xxxx::/48"
HE_REMOTE_HOST=216.66.80.30
INTERNAL_IFACE="eth0"
ROUTED_IFACES="eth0 wlan0"
EXTERNAL_IFACE=ppp0
EXTERNAL_IP4=$( ifconfig $EXTERNAL_IFACE | grep inet | sed 's/:/ /' | awk ' { print $3 }' )
 
# can be standard
HE_DEVICE_NAME=he-ipv6
 
eth0_NET="2001:470:xxxx:1::/64"
wlan0_NET="2001:470:xxxx:2::/64"

And create a startup script: /etc/init.d/tunnelbroker

#!/bin/sh
# 
# tunnelbroker
 
set +e   # Don't exit on error status
 
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
NAME=tunnelbroker
DESC="create ipv6 tunnel using tunnelbroker.net"
 
if [ -r /etc/default/$NAME ]; then
	. /etc/default/$NAME
fi
 
start()
{
	echo "updating tunnelbroker.net ipv4 endpoint"
	HE_PASS_HASH=$(echo -n $HE_PASS | md5sum | awk ' { print $1 } ')
	wget --no-check-certificate -O - "https://ipv4.tunnelbroker.net/ipv4_end.php?ipv4b=$EXTERNAL_IP4&pass=$HE_PASS_HASH&user_id=$HE_USERID&tunnel_id=$HE_GLOBAL_TUNNEL_ID"
	echo ""
 
	echo "creating new tunnel"
	ip tunnel add $HE_DEVICE_NAME mode sit remote $HE_REMOTE_HOST local $EXTERNAL_IP4 ttl 255
	ip link set $HE_DEVICE_NAME up
	ip addr add $HE_IP6_NET dev $HE_DEVICE_NAME
	ip route add ::/0 dev $HE_DEVICE_NAME
 
	echo "removing tunnel self-route"
	ip route del $HE_IP6_NET dev $HE_DEVICE_NAME
 
#	for dev in $INTERNAL_IFACES; do
#		echo "creating ipv6 route to $dev"
#		ip route add $HE_IP6_NET dev $dev
#	done
	for dev in $ROUTED_IFACES; do
		net=$(eval echo \${${dev}_NET})
                echo create $dev $net                    
		ip route add $net dev $dev 
	done
 
	echo "writing new radvd.conf"
    	for dev in $ROUTED_IFACES; do
		net=$(eval echo \${${dev}_NET})
		echo "interface $dev
		{
		   AdvSendAdvert on;
		   MaxRtrAdvInterval 10;
		   prefix $net
		   {
			    AdvAutonomous on;
			    AdvOnLink on;
			    AdvRouterAddr on;
	        	    AdvValidLifetime 60;
		            AdvPreferredLifetime 20;
		   };
	};"
	done > /etc/radvd.conf
#	done
#   /etc/init.d/radvd start
 
}
 
 
stop()
{
	echo "deleting old route and tunnel"
#	for dev in $INTERNAL_IFACES; do
#		ip route del $HE_IP6_NET dev $dev
#	done
 
        for dev in $ROUTED_IFACES; do
                net=$(eval echo \${${dev}_NET})
		ip route del $net dev $dev
	done
 
	ip tunnel del $HE_DEVICE_NAME
#    /etc/init.d/radvd stop
}
 
case "$1" in
  start)
	echo "Starting $DESC: $NAME"
	start
	;;
  stop)
	echo "Stopping $DESC: $NAME"
	stop
	;;
  restart|force-reload)
	stop
  start
	;;
  *)
	echo "Usage: /etc/init.d/$NAME {start|stop|restart|force-reload}" >&2
	exit 3
	;;
esac
 
exit 0

Create the IPv6 tunnel once your dsl connection succeeds: /etc/ppp/ip-up.d/tunnelbroker

#!/bin/sh
/etc/init.d/tunnelbroker restart
/etc/init.d/radvd restart

Shutdown if your dsl connection shuts down: /etc/ppp/ip-down.d/tunnelbroker

#!/bin/sh
/etc/init.d/tunnelbroker stop
/etc/init.d/radvd stop

radvd

To provide stateless autoconfiguration, we have to install radvd.

aptitude install radvd

/etc/ppp/ip-up.d/tunnelbroker

#!/bin/sh
/etc/init.d/tunnelbroker restart
/etc/init.d/radvd restart

dyndns

If you use dyndns services, updating the records is handy.

aptitude install ez-ipupdate

service-type=dyndns
user=USERNAME:PASSWORD
host=YOU.dyndns.org
interface=ppp0
max-interval=2073600
cache-file=/tmp/ez-ipupdate.YOU.cache.ppp0
daemon
wildcard

/etc/ez-ipupdate/YOU.dyndns.org.conf

firewalling

IPv4

/etc/ppp/ip-up.d/firewall4

#!/bin/sh
 
PATH=/usr/sbin:/sbin:/bin:/usr/bin
 
NAME=firewall
if [ -r /etc/default/$NAME ]; then
	. /etc/default/$NAME
fi
 
#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
 
# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT
 
 
# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! $OUT4IF -j ACCEPT
iptables -A FORWARD -i $OUT4IF -o $IN4IF -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i $IN4IF -o $OUT4IF -j ACCEPT
 
# Masquerade.
iptables -t nat -A POSTROUTING -o $OUT4IF -j MASQUERADE
 
# Don't forward from the outside to the inside.
iptables -A FORWARD -i $OUT4IF -o $OUT4IF -j REJECT
 
# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward

Note: I do not use this firewall, in fact it does note even work as the /etc/default/firewall file is missing

IPv6

/etc/ppp/ip-up.d/firewall6

#!/bin/bash
IPT6="/sbin/ip6tables"
PUBIF="eth1"
echo "Starting IPv6 firewall..."
$IPT6 -F
$IPT6 -X
$IPT6 -t mangle -F
$IPT6 -t mangle -X
 
#unlimited access to loopback
$IPT6 -A INPUT -i lo -j ACCEPT
$IPT6 -A OUTPUT -o lo -j ACCEPT
 
# DROP all incomming traffic
$IPT6 -P INPUT DROP
$IPT6 -P OUTPUT DROP
$IPT6 -P FORWARD DROP
 
# Allow full outgoing connection but no incomming stuff
$IPT6 -A INPUT -i $PUBIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT6 -A OUTPUT -o $PUBIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
 
# allow incoming ICMP ping pong stuff
$IPT6 -A INPUT -i $PUBIF -p ipv6-icmp -j ACCEPT
$IPT6 -A OUTPUT -o $PUBIF -p ipv6-icmp -j ACCEPT
 
############# add your custom rules below ############
### open IPv6  port 80
#$IPT6 -A INPUT -i $PUBIF -p tcp --destination-port 80 -j ACCEPT
### open IPv6  port 22
#$IPT6 -A INPUT -i $PUBIF -p tcp --destination-port 22 -j ACCEPT
### open IPv6  port 25
#$IPT6 -A INPUT -i $PUBIF -p tcp --destination-port 25 -j ACCEPT
############ End custome rules ################
 
#### no need to edit below ###
# log everything else
$IPT6 -A INPUT -i $PUBIF -j LOG
$IPT6 -A INPUT -i $PUBIF -j DROP

source

This blog post was created on 2010-05-13 at 03:20 and last modified on 2010-06-15 at 14:16 by Markus. It is tagged with

Comments

2010/05/13/alix_-_networking.txt · Last modified: 2010/06/15 14:16 by common

alix - networking

/etc/network/interfaces

wifi

hostapd

connectivity

dsl

IPv6

radvd

dyndns

firewalling

IPv4

IPv6

Comments

Related

Recent Posts

Tags

Comments